Rating: 5.0
The given tar file consists of a packet capture file and a binary.
We take a quick glance at `packet.pcap` first and find that the server received many requests. Nothing conclusive can be found here yet.
![](https://i.imgur.com/bFWQQCy.png)
After that, we decided to analyze the `malware` binary and found that what it actually does is watch `/var/log/apache2/access.log` and process every new request that is logged there.
We also found a `system` call inside the malware, so we guess that its main purpose is to sniff the requests and then transform them into the argument of that `system` call.
![](https://i.imgur.com/nlA3dZ8.png)
The main logic that processes the requests is a little bit messy. (It should be easier to analyze dynamically with gdb.)
![](https://i.imgur.com/oHgZXHm.png)
We have translated the messy code into more readable pseudocode, which looks like:
```python=
alpha_num = "0123456789abcdefghijklmnopqrstuvwxyz"
for k in range(0x24):  # test input_url against each of the 0x24 known request strings
    if input_url == file[k]:
        tmp[tmp_counter] = alpha_num[k]  # request k contributes the digit alpha_num[k]
if input_url == '/':  # a bare "/" request ends the current group of digits
    tmp[tmp_counter+1] = 0
    payload[payload_counter] = strtol(tmp, NULL, 13)  # decode the group as one base-13 number
    outer_counter += 1
    tmp[0] = 0
    tmp_counter = 0
    if payload[payload_counter] == '\n':  # 10: a full line has been assembled
        if key == 1:
            system(payload)
            payload[0] = 0
            payload_counter = 0
        elif "b4v4r14ns" in payload:  # the trigger line only arms the malware
            payload[0] = 0
            payload_counter = 0
            key = 1
```
Okay, now we have solved the major part of this challenge, but the relationship between the requests and `alpha_num` is still not clear (line 4). We need to look at the capture file again.
We collected the requests from the capture file and sorted them in ascending order (the prefix is the index, and thus the digit, each request maps to):
```
0 /pack/Png/alpha.png HTTP/1.1
1 /pack/Png/beta.png HTTP/1.1
2 /pack/Png/delta.png HTTP/1.1
3 /pack/Png/easpq.png HTTP/1.1
4 /pack/Png/fmoews.png HTTP/1.1
5 /pack/Png/gama.png HTTP/1.1
6 /pack/Png/gkreoq.png HTTP/1.1
7 /pack/Png/htqows.png HTTP/1.1
8 /pack/Png/kgtre.png HTTP/1.1
9 /pack/Png/relwpq.png HTTP/1.1
a /pack/Png/rfeko.png HTTP/1.1
b /pack/Png/tplrpe.png HTTP/1.1
c /pack/Png/true.png HTTP/1.1
```
All the clues are clear now. We have the requests and the mapping (shown above), so we can write a script to see what happened.
```python=
#!/usr/bin/env python3
# Replay the malware's decoder over the request lines extracted from packet.pcap
with open('request') as f:
    request = f.read().split('\n')[:-1]
mapping = [  # index in this list == base-13 digit value
    "/pack/Png/alpha.png HTTP/1.1",
    "/pack/Png/beta.png HTTP/1.1",
    "/pack/Png/delta.png HTTP/1.1",
    "/pack/Png/easpq.png HTTP/1.1",
    "/pack/Png/fmoews.png HTTP/1.1",
    "/pack/Png/gama.png HTTP/1.1",
    "/pack/Png/gkreoq.png HTTP/1.1",
    "/pack/Png/htqows.png HTTP/1.1",
    "/pack/Png/kgtre.png HTTP/1.1",
    "/pack/Png/relwpq.png HTTP/1.1",
    "/pack/Png/rfeko.png HTTP/1.1",
    "/pack/Png/tplrpe.png HTTP/1.1",
    "/pack/Png/true.png HTTP/1.1",
]
base = 13
cur = []  # digits of the byte currently being assembled
for r in request:
    if r not in mapping:  # any other request (the "/" delimiter) ends the digit group
        if len(cur) == 0:
            continue
        elif len(cur) == 1:  # a lone digit is the low digit of a two-digit number
            cur = [0] + cur
        print(chr(cur[0] * base + cur[1]), end='')
        cur = []
    else:
        cur.append(mapping.index(r))
```
Result:
```
b4v4r14ns
echo 'CTF-BR{b3b3b3b3b3h4v10r}'
```